MACE-paccman Call 6-Jan-2011

Attending

Keith Hazelton, U. Wisconsin (co-chair)
Tom Dopirak, CMU (co-chair)
Chris Hyzer, U. Penn.
Tom Zeller, U. Memphis
Billy Cook, Clemson
Boyd Wilson, Clemson
Benn Oshrin, Internet2
Steve Olshansky, Internet2
Emily Eisbruch, Internet2 (scribe)

*New Action Items*

[AI] (Keith) will upload to the MACE-paccman wiki the Gartner use case classifications with proper attribution and send a link to the group.
[AI] (Keith) will check in with Roland re developing a writeup on rules ontology and mapping to a UI.
[AI] (TomZ) will talk to JimF about joining a future MACE-paccman call regarding provisioning and handling authorization with Windows Live and gmail.
[AI] (Chris) will talk with Grouper-dev team about the MACE-paccman Grouper relationship
[AI] (Emily) will resend instructions on how to access the Blakely article on "The Emerging Architecture of Identity Management" (DONE)

*Carry Over Action Items*

[AI] (Keith) will research the cost of the Axiomatics policy server and possibly propose that the MACE-paccman working group purchase a license. (in progress)
[AI] (Keith) will continue to communicate with Clemson colleagues about solving paccman use cases in XACML.
[AI] (Roland) will develop a write up on rules ontology and mapping to a UI.
[AI] (Keith) will work on swimlane diagrams and a business process model for MACE-paccman use cases
[AI] (Rob) will continue to work towards adding caBIG use cases to the MACE-paccman wiki.

Discussion

Priority Projects / Concrete Deliverables for MACE-paccman WG

If the MACE-paccman working group could produce one thing that would substantially help move one of your major projects forward, what would it be?
Keith would like to make progress on evaluating the XACML engine. CMU is also interested in this.
TomD: CMU is interested in work on building out the engineering and design patterns for provisioning ERP applications. CMU is particularly interested in Oracle Financials.
Clemson wants to ensure that their directory structure, and their architecture around the XACML engine and policy enforcement, will be interoperable with other institutions. They are looking at how to integrate the XACML work with the core central application they presented at the 2010 FMM, and how SAML will tie in. Clemson believes there is value in working together.
Chris said most of his interest is Grouper-related, but he is also interested in XACML.
Grouper currently stores and handles privileges in a static way, without real-time computation. Perhaps the MACE-paccman WG can help by thinking about XACML engines, how they might fit into Grouper, and how to handle privilege calculations in real time. Chris noted that dynamic group memberships have been discussed by the Grouper-dev team, so this is related to concepts and directions already on the Grouper team's radar. There was general endorsement of looking at how PDPs can fit into group and privilege management systems.

Keith: It would be helpful to solve some real-world problems. The Bamboo project's humanities research use case could be a good one to take on.

TomD presented a business issue: at CMU, the new HR system may be built out of SaaS offerings, with no resident code and no single vendor. In the HR space, most of these SaaS solutions don't handle authentication and authorization in a sophisticated way; for the most part they predefine roles in their system and cannot accept an external group membership feed.

Other than handling an AD group, there is a lack of standards. However, PeopleSoft does show some positive direction in its new release, where it is possible to construct an external role out of an external group that is publicly readable.

Keith said that U-Wisc has been meeting with Oracle to discuss group management and coarse-grained authorization.

TomD: Influencing vendors is a matter of building enough demand and paying attention to what each vendor is doing. It's important to decide what standards we want to promote.

TomZ: U. Memphis is likely going to outsource mail to Windows Live, and U. Memphis plans to use the built-in tool to sync from the existing AD to Windows Live. In the future there will be a need for more advanced rules to handle privacy issues and authorizations. XACML could possibly be helpful. The vendor is currently responsive.
It was agreed that there is widespread interest in the relationship between Google APIs and Windows Live.

TomD noted that in AD, the notion of a group, and a mailing list and an access list are often convoluted. The 3 build on common objects.

TomZ suggested that at U-Washington the direction is that users will be allowed to choose either gmail or Windows Live mail. It would be worthwhile to chat with Jim Fox about this.

[AI] (TomZ) will talk to JimF about joining a future MACE-paccman call regarding provisioning and handling authorization with Windows Live and gmail.

Summary: We have identified two possible directions. On the 20-Jan-2011 call, we should invite people to talk about these topics:
1. Grouper XACML integration, and
2. Provisioning Windows Live.edu and Google.

Updates from Grouper

Chris just finished a Grouper / Atlassian connector.
https://spaces.internet2.edu/display/Grouper/Grouper+Atlassian+connector

It allows auto-provisioning and deprovisioning to Atlassian. This connector uses Grouper web services. It has two levels of caching, in case Grouper is down.
Also, with a large deployment it takes time to retrieve the data, so it has the ability to use XMPP update messages.

Q: TomD: Does this work for all Atlassian products?

A: Chris: It works for any product that uses the OpenSymphony interface (which is the interface that Atlassian uses).

This connector also allows you to manage your access control for JIRA and Confluence.
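The connector's caching design (serve group memberships from a cache when Grouper is unreachable, and let update messages invalidate cached entries) is worth seeing as code, because the failure mode is security-relevant: while Grouper is down, a deprovisioned member keeps access until the cache is refreshed. The sketch below is an added example written for these minutes, not the Grouper Atlassian connector's own code. The fetch callable, the JSON shape of the update message, the L2 store (a dict standing in for an on-disk copy) and the optional fail-closed list are all assumptions.

```python
"""Two-level group-membership cache with stale-on-failure fallback.

Added example; not the Grouper Atlassian connector's code. The fetch
callable, the update-message format and the fail-closed option are assumed.
"""
import json
import time
from typing import Callable, Dict, FrozenSet, Iterable, Tuple


class GrouperUnavailable(Exception):
    """Raised by the fetch callable when the Grouper web service cannot be reached."""


class GroupResolver:
    def __init__(self, fetch: Callable[[str], Iterable[str]], ttl: float = 300.0,
                 fail_closed: Iterable[str] = (),
                 clock: Callable[[], float] = time.time) -> None:
        self.fetch = fetch                  # hypothetical: calls the Grouper web service
        self.ttl = ttl                      # seconds an L1 entry is considered fresh
        self.fail_closed = frozenset(fail_closed)  # groups that must never be served stale
        self.clock = clock
        # L1: in-memory, with expiry; L2: persistent copy that survives a restart
        self.l1: Dict[str, Tuple[float, FrozenSet[str]]] = {}
        self.l2: Dict[str, FrozenSet[str]] = {}

    def members(self, group: str) -> FrozenSet[str]:
        now = self.clock()
        entry = self.l1.get(group)
        if entry is not None and entry[0] > now:
            return entry[1]                 # fresh L1 hit
        try:
            members = frozenset(self.fetch(group))
        except GrouperUnavailable:
            if group in self.fail_closed:
                raise                       # deny rather than serve stale data
            if entry is not None:
                return entry[1]             # expired L1 entry is better than nothing
            if group in self.l2:
                return self.l2[group]       # fall through to the persistent copy
            raise                           # nothing cached at all: caller must deny
        self.l1[group] = (now + self.ttl, members)
        self.l2[group] = members
        return members

    def is_member(self, group: str, subject: str) -> bool:
        return subject in self.members(group)

    def apply_update(self, raw: str) -> bool:
        """Handle an XMPP-style change notification (assumed JSON payload).

        Only the L1 entry is dropped, so the next lookup refetches from Grouper;
        the L2 copy is kept as the fallback if that refetch fails.
        """
        msg = json.loads(raw)
        group = msg.get("group")
        if msg.get("type") != "membership_changed" or not group:
            return False
        self.l1.pop(group, None)
        return True
```

The fail-closed list is the knob a deployer would want: groups that gate administrative access in JIRA or Confluence should probably deny during a Grouper outage, while ordinary project membership can tolerate a few minutes of staleness.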

Update from MACE-Directories Working Group

Keith noted there is ongoing discussion on the notion of persistent identifiers (eduPersonTargetedID, eduPersonPrincipalName (EPPN), etc.). There is hope to develop a recommendation.
There is a gathering storm to reinvent the SSN under another name.
This topic will be discussed at IAM online panel 12-Jan-2011. http://www.incommon.org/iamonline/

Update from Project Bamboo

The Bamboo Project is working on the gateway multi-protocol AuthN/AuthZ functionality, to allow a service to be accessible via a choice of SAML, OpenID, or Windows Live.

CMU is also doing multi-protocol work.

Update from FIFER

https://wiki.jasig.org/display/FIFER/Home

Benn has been working on a FIFER initiative related to a standard groups interface, an API for group operations.
This work could become a prototype for identity operations as well.

Next Call: Thursday, 20-Jan-2011, 1pm ET